I'm currently doing research on cracking encrypted, compressed files (specifically: uif, zip, 7z, dmg). Looking at all the utilities out there, it seems the time it takes to crack something is greatly reduced when a better idea of password length/character set is known (this is obvious to me from prior experience in brute forcing/dictionary attacks). Is there a way to forensically analyze the encrypted compressed files themselves to get more information on the password, the hash it uses, etc., in order to optimize cracking?

3 Answers
Any good encryption generates a uniform distribution of characters, making it look very close to randomness. Thus you cannot figure out what kind of crypto simply by looking at the ciphertext.

I guess the closest you could come to that is if crypto X produces output in 128-byte increments and crypto Y produces 64-byte blocks, then if your ciphertext is on a 64-byte boundary that isn't also a 128-byte boundary, then it has to be crypto Y. The problem is a lot of cryptos produce similarly sized blocks, so you're guessing among many different algorithms.

@Bruno: absolutely, PKZIP uses/used a custom stream cipher which can be attacked with only a dozen known plaintext bytes, and costs about 2^38 (i.e. a few minutes). However, newer ZIP utilities tend to use AES instead, which is much more robust.
– Thomas Pornin May 3 '11 at 10:45

Is there any way of knowing if it's AES vs. PKZIP? Also, I have been using fcrackzip, are there any other tools that are more efficient at brute forcing?
– mrnap May 4 '11 at 21:45
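Added example, not part of the original thread: for ZIP specifically, the scheme is recorded in the container's unencrypted central directory rather than in the ciphertext, so an auditor can list which members still use the legacy PKZIP cipher and which use AES. The function names and the three-member sample archive (headers only, other fields zeroed) are constructed for illustration.

```python
import struct

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"
AES_BITS = {1: 128, 2: 192, 3: 256}  # strength byte in the WinZip 0x9901 extra field

def classify(flags, method, extra):
    if not flags & 0x0001:                 # general-purpose flag bit 0: encrypted
        return "not encrypted"
    if method == 99:                       # method 99 marks WinZip AES
        i = 0
        while i + 4 <= len(extra):         # walk (id, length, data) extra records
            hid, hlen = struct.unpack_from("<HH", extra, i)
            if hid == 0x9901 and hlen >= 7 and i + 11 <= len(extra):
                return f"WinZip AES-{AES_BITS.get(extra[i + 8], '?')}"
            i += 4 + hlen
        return "WinZip AES (no 0x9901 record)"
    if flags & 0x0040:                     # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "traditional PKZIP cipher"

def zip_encryption(data):
    """Return [(member name, scheme)] from the unencrypted central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    members = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("malformed central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        members.append((name, classify(flags, method, extra)))
        pos += 46 + nlen + xlen + clen
    return members

def _cd_entry(name, flags, method, extra=b""):
    # Constructed sample record: CRC, sizes, timestamps and offsets are zeroed.
    return struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, flags, method, 0, 0,
                       0, 0, 0, len(name), len(extra), 0, 0, 0, 0, 0) + name + extra

def sample_archive():
    aes = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # AE-2, 256-bit key
    cd = (_cd_entry(b"plain.txt", 0, 8) + _cd_entry(b"legacy.txt", 1, 8)
          + _cd_entry(b"aes.txt", 1, 99, aes))
    return cd + struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 3, 3, len(cd), 0, 0)
```

On a real file, pass `open(path, "rb").read()` to `zip_encryption`; ZIP64 and multi-disk archives are outside what this sketch parses.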